Package: phpbb3
Version: 3.0.10-4+deb7u2
Severity: normal
Tags: upstream

The Q&A captcha plugin normally does not allow an empty question set, as per the manual, section "How to configure Q&A CAPTCHA". However, if you install a language pack after you have configured the Q&A, the enabled Q&A for the new languages will have an empty question set, allowing bots to register without *any* security checks.

The result that installing language packs impacts security seems like a non-obvious effect. Either a warning, a safer failure of the Q&A CAPTCHA, or having empty language sets fall back to other languages would be a large improvement to the current situation.

/Björn Påhlsson

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpbb3 depends on:
ii  apache2                                    2.2.22-13+deb7u4
ii  apache2-mpm-itk [httpd]                    2.2.22-13+deb7u4
ii  boa [httpd]                                0.94.14rc21-3.1
ii  dbconfig-common                            1.8.47+nmu1
ii  debconf [debconf-2.0]                      1.5.49
ii  libapache2-mod-php5                        5.4.36-0+deb7u3
ii  mysql-client                               5.5.41-0+wheezy1
ii  mysql-client-5.5 [mysql-client]            5.5.41-0+wheezy1
ii  php5                                       5.4.36-0+deb7u3
ii  php5-cgi                                   5.4.36-0+deb7u3
ii  php5-cli                                   5.4.36-0+deb7u3
ii  php5-gd                                    5.4.36-0+deb7u3
ii  php5-mysql                                 5.4.36-0+deb7u3
ii  php5-pgsql                                 5.4.36-0+deb7u3
ii  php5-sqlite                                5.4.36-0+deb7u3
ii  postgresql-client                          9.1+134wheezy4
ii  postgresql-client-9.1 [postgresql-client]  9.1.15-0+deb7u1
ii  ucf                                        3.0025+nmu3

Versions of packages phpbb3 recommends:
ii  php5-imagick                    3.1.0~rc1-1+b2
ii  postfix [mail-transport-agent]  2.9.6-2

Versions of packages phpbb3 suggests:
ii  mysql-server  5.5.41-0+wheezy1
ii  phpbb3-l10n   3.0.10-4+deb7u2
ii  postgresql    9.1+134wheezy4

-- debconf information excluded

-- debsums errors found:
debsums: changed file /usr/share/phpbb3/www/includes/functions_profile_fields.php (from phpbb3 package)
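The following is an added example, not code from phpBB or from the reporter: it models the failure mode described above (a language pack installed after the Q&A CAPTCHA was configured leaves that language with an empty question set) and shows the two mitigations the report asks for, a warning check that lists empty languages and a fail-closed language selection that falls back to a language that does have questions. The language codes, question texts and function names are constructed assumptions; a real check would read the question sets from the board's CAPTCHA configuration.

```python
# Added example (not phpBB's own code). Models the Q&A CAPTCHA question sets
# per language and shows how to warn on empty sets and fail closed instead of
# letting a registration through with no check at all.
from typing import Dict, List, Optional

# Constructed sample data: questions were configured while only 'en' existed;
# the 'sv' and 'de' packs were installed afterwards and so have no questions.
QUESTIONS: Dict[str, List[str]] = {
    "en": ["What colour is the sky on a clear day?", "How many legs does a cat have?"],
    "sv": [],
    "de": [],
}
ENABLED_LANGUAGES = ["en", "sv", "de"]


def empty_question_languages(enabled: List[str], questions: Dict[str, List[str]]) -> List[str]:
    """Return the enabled languages whose question set is empty or missing.

    This is the warning the report asks for: an admin page or a post-install
    hook for language packs can refuse to keep the CAPTCHA enabled while this
    list is non-empty.
    """
    return [lang for lang in enabled if not questions.get(lang)]


def select_question_language(requested: str, enabled: List[str],
                             questions: Dict[str, List[str]],
                             fallback: str = "en") -> Optional[str]:
    """Pick a language that actually has questions for the registering user.

    Order of preference: the user's language, then the board fallback, then any
    enabled language with questions. Returns None when nothing usable exists so
    the caller can fail closed rather than skip the CAPTCHA.
    """
    for lang in [requested, fallback, *enabled]:
        if lang in enabled and questions.get(lang):
            return lang
    return None


def captcha_allows_registration(requested: str, enabled: List[str],
                                questions: Dict[str, List[str]]) -> bool:
    """Fail closed: an empty question set must block registration, not bypass it."""
    return select_question_language(requested, enabled, questions) is not None
```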

